Evernote announced in a recent blog post that it has implemented a service-wide password reset. The reset follows a security breach in which hackers attempted to “access secure areas of the Evernote service”. Evernote has instructed users to log in to the website to reset their password before logging in to desktop and mobile clients.
The post states that user content and payment information were not compromised, but adds:
The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts, and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)
Reactions have quickly surfaced on user forums and social media. Users on the Evernote forum have expressed disappointment at the slow release of official information, with many finding out about the reset upon opening Evernote or through a third-party tweet or website. Users have also expressed hope that Evernote will implement two-factor authentication to reduce the risk of future breaches.
The response on Twitter has taken a similar line, with many suggesting that the breach was inevitable.
Evernote Hacked. I’ve had that disturbing feeling this was inevitable. rootzwiki.com/news/_/article…
— Sani (@SGusau) March 2, 2013
Welp, looks like another breach notice from Evernote this time. Anyone keeping track of how many disclosures per week 2013? #cybersecurity
— Brandon Wu (@wuzer) March 3, 2013
In enforcing the change, Evernote has recommended that users not reuse passwords across multiple websites and that they avoid passwords based on “dictionary words”. However, it remains to be seen what steps Evernote will take to ensure system integrity and security in the future.